2022 is rapidly turning into a year of censorship: Russian authorities block independent media, forbid single words and turn on criminal cases after illegal wiretapping of telephone conversations.
Can we keep privacy and why can’t Telegram help with this? We deal with information security expert and CEO of Security Services Group Yuri Melashchenko.
What’s wrong with Telegram
Belief in the security of Telegram is largely based on failure Pavel Durov to hand over the keys to decrypt the correspondence of FSB users.
However, the messenger does not encrypt messages by default, although even WhatsApp does. End-to-end encryption can be enabled manually and only in private chats.
“Regular and group chats are not secure end-to-end encryption, that is, Telegram sees your correspondence, and moreover, saves them on servers. If you use this messenger, create “secret chats”, turn on automatic deletion of correspondence and a ban on taking screenshots. But remember that even these restrictions can be bypassed with a second camera phone,” Yuriy Melashchenko explains.
No one can guarantee that the content of regular chats will not fall into the hands of third parties. The code of Telegram servers is closed: it will not be possible to check its security.
You can only create an account using a phone number. This allows attackers intercept SMS to login accounts and associate users with each other.
The messenger is popular due to its intuitive interface and a large number of functions. However, in terms of security and privacy, it has some decent alternatives.
Five encrypted messengers
There are a lot of evaluation criteria. We chose the main ones: the availability of a free version, end-to-end encryption, open source, two-factor authentication, encrypted calls, auto-delete messages.
“These are the main parameters. In addition to them, the possibility of deploying on your own server, countering the attack “human in the middle» and resistance to receiving data with Cellebrite UFEDElcomsoft, Oxygen Software.
Such complexes allow you to read device data, including deleted files and correspondence. Just turn on airplane mode and open the messenger: everything you see is available, ”comments the CEO of the Security Services Group.
In this article, we will look at five free messengers that meet all or most of the above criteria.
one. Signal is an open source messenger from Open Whisper Systems. The project team developed a protocol of the same name, which is also used by WhatsApp.
All chats and calls on Signal are end-to-end encrypted. Users can set up auto-delete messages and sign in with a pin code. Service passed multiple third party audits.
“Signal is considered the most secure messenger. But it also has drawbacks: you need to register by phone number and trust the server owner, who owns the encryption keys. We tried several times to deploy our own server, but the attempts were unsuccessful.
The messenger protects users better than Telegram: if an attacker intercepts the SMS, he will not get access to the correspondence history – it is not on the Signal servers. But it is stored on the device, so you should set a pin code to enter the application. This will help protect data in case of guessing a password to a phone or computer,” notes Yuri Melashchenko.
Platforms: iOS, Android, Windows, Mac and Linux.
2. Wire is a messenger with end-to-end encryption, self-deleting messages and open source.
The developer of the application, Wire Swiss, is a Swiss company that focuses on the corporate market, but provides a free version of Wire Personal for individuals.
To create an account, you will need personal information: phone number or email address. Audit Wire carried out employees of Kudelski Security and X41 D-Sec.
Platforms: iOS, Android, Windows, Mac, Linux and Web.
3. element is an open source messenger with a decentralized structure. It uses the open standard Matrix, which is being developed by the British non-profit organization The Matrix.org Foundation.
The service allows you to create anonymous accounts and send messages to other instant messengers. All chats and calls within the app are end-to-end encrypted.
Users can connect to existing servers and create their own. The latter may turn out to be a disadvantage if the server owner makes a mistake during configuration and further operation.
Platforms: Android, iOS, Windows, Mac, Linux and Web.
4. Briar — P2P messenger for Android open source. By default, it uses the Tor network, but sends messages over Wi-Fi or Bluetooth when there is no Internet connection.
Users can communicate in chats, private groups and forums, as well as write blogs. To register, you need to create a username and password.
You need to add contacts manually – using QR codes or invitation links. If you uninstall the app or forget your login information, you will lose access to the conversation.
Cons of Briar – work only on one platform, severe battery drain and delivery of messages only when both users are online. In addition, Briar does not allow you to add the same contacts through new links: this indicates the presence of a centralized database.
Platforms: Android.
5. Cryptos Private Messenger — messenger with end-to-end encryption, anonymous registration and private external links. It supports the “double bottom” function: the user can create two accounts and log into them with different passwords.
The Kryptos Private Messenger server does not participate in key distribution. The messenger creates a pair of keys for each user and stores them on the device in encrypted form. This approach makes it impossible to conduct a man-in-the-middle attack.
User correspondence is in RAM and is automatically deleted when the application is minimized so that it cannot be read when physically accessing the phone or computer.
The messenger uses its own virtual keyboard and the Fortuna pseudo-random number generator created by Bruce Schneier and Niels Ferguson. It reads gyroscope, timer and user input data to avoid potential system PRNG vulnerabilities.
“The virtual keyboard is an additional countermeasure against UFED devices. Built-in keyboards remember every word you’ve ever typed on your device. With phone access you can get it this dictionary, even if you wrote messages in the messenger with end-to-end encryption, ”says the CEO of Security Services Group.
Kryptos Private Messenger is in its early stages of development: it supports text and voice communications, file sending, personal chats and groups.
At the moment, the Kryptos team is looking for investments to create a project with a federated server system and a private cryptocurrency.
The developers plan to add call support to the messenger, improve the interface and completely open the application code.
Platforms: iOS, Android and Web.
General Digital Security Tips
- Download applications only from official stores, while choosing messengers with end-to-end encryption.
- Do not give too much information about yourself: register accounts for virtual phone numbers and disposable mailboxes. If you are using real data, make the profile available only to your contacts.
- If you have been contacted from an unfamiliar account, be sure to call back to confirm the identity of the interlocutor.
- Do not click on links or download files, even if your friend sent them. Ask by phone or in another messenger if it really was him.
- Disable sending backup copies of correspondence to the cloud – not all applications store them in encrypted form.
- Set a pin code or password to enter the messenger. Set up two-factor authentication if the app supports it.
- Do not send sensitive information in messengers. You do not know if the interlocutor deletes the correspondence, and whether third parties have access to it.
Subscribe to Cryplogger news in Telegram: Cryplogger Feed – the entire news feed, Cryplogger — the most important news, infographics and opinions.
Found a mistake in the text? Select it and press CTRL+ENTER
